[Freeipa] [Bug 1772450] Re: freeipa server -- problems with certificates

2018-05-23 Thread Norman Kabir
So far, the only clue I can find in the logs is a 'null' value for
authType and principal:


[ajp-nio-127.0.0.1-8009-exec-1] INFO com.netscape.cms.tomcat.ExternalAuthenticationValve - ExternalAuthenticationValve: authType: null
[ajp-nio-127.0.0.1-8009-exec-1] INFO com.netscape.cms.tomcat.ExternalAuthenticationValve - ExternalAuthenticationValve: principal: null

-- 
You received this bug notification because you are a member of FreeIPA,
which is subscribed to freeipa in Ubuntu.
https://bugs.launchpad.net/bugs/1772450

Title:
  freeipa server -- problems with certificates

Status in freeipa package in Ubuntu:
  Confirmed

Bug description:
  After having installed FreeIPA server on Ubuntu 18.04 and having
  sorted out all the other bugs, I still have problems with
  certificates.

  In the web interface, every attempt to select the "Authentication ->
  Certificates" tab ends with the following error

  IPA Error 4301: CertificateOperationError
  Certificate operation cannot be completed: Unable to communicate with CMS (Start tag expected, '<' not found, line 1, column 1)

  The problem also occurs with command line utilities. For example, 'ipa
  cert-show 1' returns the error: 'ipa: ERROR: Certificate operation
  cannot be completed: Unable to communicate with CMS (500)'

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/1772450/+subscriptions

___
Mailing list: https://launchpad.net/~freeipa
Post to : freeipa@lists.launchpad.net
Unsubscribe : https://launchpad.net/~freeipa
More help   : https://help.launchpad.net/ListHelp


[Freeipa] [Bug 1772450] Re: freeipa server -- problems with certificates

2018-05-23 Thread Norman Kabir
Strange. I am able to execute 'pki cert-find' without error.

$ pki cert-find
SLF4J: Class path contains multiple SLF4J bindings.
SLF4J: Found binding in [jar:file:/usr/share/java/slf4j-jdk14.jar!/org/slf4j/impl/StaticLoggerBinder.class]
SLF4J: Found binding in [jar:file:/usr/share/java/slf4j-simple.jar!/org/slf4j/impl/StaticLoggerBinder.class]
SLF4J: See http://www.slf4j.org/codes.html#multiple_bindings for an explanation.
SLF4J: Actual binding is of type [org.slf4j.impl.JDK14LoggerFactory]

13 entries found


...

Is there some other stage you think may be responsible for the error? I
can dig into the Java layer if you have any hypotheses that lead
there...


[Freeipa] [Bug 1772450] Re: freeipa server -- problems with certificates

2018-05-23 Thread Norman Kabir
I would like to help debug this. Like gianluca, I've managed to sort out
the other bugs and am hitting this certificate issue.

Where can I find the Git repository for 4.7.0-pre2? The associated repos
only seem to contain 4.7.0-pre1

https://code.launchpad.net/ubuntu/+source/freeipa/+git

Title:
  freeipa server -- problems with certificates

Status in freeipa package in Ubuntu:
  New


[Freeipa] [Bug 1769440] Re: freeipa server install fails - Configuring the web interface, setting up ssl

2018-05-21 Thread Norman Kabir
Is there a recommended workaround? For example, install without DNS
support and use a separate bind installation?

-- 
You received this bug notification because you are a member of FreeIPA,
which is subscribed to freeipa in Ubuntu.
https://bugs.launchpad.net/bugs/1769440

Title:
  freeipa server install fails - Configuring the web interface, setting
  up ssl

Status in freeipa package in Ubuntu:
  Confirmed

Bug description:
  Setting up FreeIPA server fails at "Configuring the web interface",
  step 12/21

  It's in a cleanly started LXC Ubuntu Bionic container. The
  ppa:freeipa/ppa is also used to get tomcat 8.5.30-1ubuntu1.2

  Configuring the web interface (httpd)
[1/21]: stopping httpd
[2/21]: backing up ssl.conf
[3/21]: disabling nss.conf
[4/21]: configuring mod_ssl certificate paths
[5/21]: setting mod_ssl protocol list to TLSv1.0 - TLSv1.2
[6/21]: configuring mod_ssl log directory
[7/21]: disabling mod_ssl OCSP
[8/21]: adding URL rewriting rules
[9/21]: configuring httpd
[10/21]: setting up httpd keytab
[11/21]: configuring Gssproxy
[12/21]: setting up ssl
[error] RuntimeError: Certificate issuance failed (CA_REJECTED)
  ipapython.admintool: ERROR Certificate issuance failed (CA_REJECTED)
  ipapython.admintool: ERROR The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information

  and in the log there is

  2018-05-05T20:37:29Z DEBUG stderr=
  2018-05-05T20:37:29Z DEBUG step duration: httpd configure_gssproxy 1.09 sec
  2018-05-05T20:37:29Z DEBUG   [12/21]: setting up ssl
  2018-05-05T20:37:33Z DEBUG certmonger request is in state dbus.String(u'GENERATING_KEY_PAIR', variant_level=1)
  2018-05-05T20:37:38Z DEBUG certmonger request is in state dbus.String(u'CA_REJECTED', variant_level=1)
  2018-05-05T20:37:42Z DEBUG Traceback (most recent call last):
    File "/usr/lib/python2.7/dist-packages/ipaserver/install/service.py", line 555, in start_creation
      run_step(full_msg, method)
    File "/usr/lib/python2.7/dist-packages/ipaserver/install/service.py", line 541, in run_step
      method()
    File "/usr/lib/python2.7/dist-packages/ipaserver/install/httpinstance.py", line 376, in __setup_ssl
      passwd_fname=key_passwd_file
    File "/usr/lib/python2.7/dist-packages/ipalib/install/certmonger.py", line 320, in request_and_wait_for_cert
      raise RuntimeError("Certificate issuance failed ({})".format(state))
  RuntimeError: Certificate issuance failed (CA_REJECTED)

  2018-05-05T20:37:42Z DEBUG   [error] RuntimeError: Certificate issuance failed (CA_REJECTED)
  2018-05-05T20:37:42Z DEBUG   File "/usr/lib/python2.7/dist-packages/ipapython/admintool.py", line 174, in execute
  ...

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/1769440/+subscriptions



[Freeipa] [Bug 1653245] Re: python-ipalib is missing authconfig

2017-01-12 Thread Norman Kabir
Timo, can you post a link to the Git repository that hosts the patch?
Apologies if I've missed it.

I know of these:

* https://anonscm.debian.org/git/pkg-freeipa/freeipa.git
* https://launchpad.net/freeipa

Much appreciated!

-- 
You received this bug notification because you are a member of FreeIPA,
which is subscribed to freeipa in Ubuntu.
https://bugs.launchpad.net/bugs/1653245

Title:
  python-ipalib is missing authconfig

Status in freeipa package in Ubuntu:
  Fix Committed

Bug description:
  When doing ipa-backup it will eventually want to do a backup of
  authconfig. This is a RedHat specific tool, but there is no
  Ubuntu/Debian replacement. ipa-backup will fail with a Python stack
  trace.

  2016-12-30T10:36:02Z DEBUG Starting external process
  2016-12-30T10:36:02Z DEBUG args=/usr/sbin/authconfig --savebackup /var/lib/ipa/auth_backup
  2016-12-30T10:36:02Z DEBUG Process execution failed
  2016-12-30T10:36:02Z DEBUG   File "/usr/lib/python2.7/dist-packages/ipapython/admintool.py", line 171, in execute
      return_value = self.run()
    File "/usr/lib/python2.7/dist-packages/ipaserver/install/ipa_backup.py", line 310, in run
      tasks.backup_auth_configuration(auth_backup_path)
    File "/usr/lib/python2.7/dist-packages/ipaplatform/redhat/tasks.py", line 195, in backup_auth_configuration
      auth_config.backup(path)
    File "/usr/lib/python2.7/dist-packages/ipaplatform/redhat/authconfig.py", line 91, in backup
      ipautil.run(["/usr/sbin/authconfig", "--savebackup", path])
    File "/usr/lib/python2.7/dist-packages/ipapython/ipautil.py", line 423, in run
      preexec_fn=preexec_fn)
    File "/usr/lib/python2.7/subprocess.py", line 711, in __init__
      errread, errwrite)
    File "/usr/lib/python2.7/subprocess.py", line 1343, in _execute_child
      raise child_exception

  2016-12-30T10:36:02Z DEBUG The ipa-backup command failed, exception: OSError: [Errno 2] No such file or directory
  2016-12-30T10:36:02Z ERROR [Errno 2] No such file or directory
  2016-12-30T10:36:02Z ERROR The ipa-backup command failed. See /var/log/ipabackup.log for more information

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/1653245/+subscriptions
